Recipe Name:
XXE: Set missing secure processing feature
Description:
Could lead to XXE
Level:
error
Language:
- java
Tags:
- OWASP Top 10
- XML
- XXE
- basic protection set
- security
Documentation
Secure coding practices prescribe that all XML processors should be configured to enable the secure processing feature. This feature should be enabled explicitly where applicable, because the default depends on the JAXP implementation in use.
An instance of a factory should have the secure processing feature enabled before creating a new instance of the desired XML processor. This can be achieved by using one of the following methods:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setSchema(schema); // schema is a javax.xml.validation.Schema instance
Where factory is an instance of:
- DocumentBuilderFactory
- TransformerFactory
- SAXParserFactory
- SchemaFactory
- XPathFactory
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.XMLConstants;
...
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
// Must be set on the factory before newDocumentBuilder() is called.
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Resources
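Added example, not part of the recipe or its description: a helper that applies the setting this recipe enforces to a DocumentBuilderFactory together with the DOCTYPE and external-entity settings the OWASP XXE Prevention Cheat Sheet recommends as defence in depth, plus a main() that parses a constructed document to confirm a DOCTYPE is refused. The class name SecureXml and the sample documents are assumptions of this example; the same setFeature call applies to the other factories listed above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public final class SecureXml {

    /** Factory configuration: the recipe's setting first, then defence-in-depth settings. */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setValidating(false);
        // The call this recipe searches for; it must precede newDocumentBuilder().
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Defence in depth (OWASP XXE cheat sheet): refuse any DOCTYPE, so no entity
        // declaration, internal or external, is ever processed by this parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = newDocumentBuilder();
        // Constructed input: a harmless document carrying a DOCTYPE; the hardened parser rejects it.
        String withDoctype = "<!DOCTYPE note [<!ENTITY greet \"hi\">]><note>&greet;</note>";
        try {
            db.parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted, check the factory settings");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
        db.reset(); // return the builder to its initial state before reusing it
        // Constructed input without a DOCTYPE parses normally.
        Document ok = db.parse(new ByteArrayInputStream("<note>hi</note>".getBytes(StandardCharsets.UTF_8)));
        System.out.println("parsed root element: " + ok.getDocumentElement().getTagName());
    }
}
```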
Recipe
id: scw:xml:missing-secure-processing
version: 10
metadata:
  name: 'XXE: Set missing secure processing feature'
  shortDescription: Could lead to XXE
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: Java/XML/descriptions/java_enable_xml_secure_processing.html
  tags: OWASP Top 10;XML;XXE;basic protection set;security
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          args:
            1:
              referenceTo:
                name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
          name: setFeature
    name: newInstance
    declaration:
      type:
        reference:
          anyOf:
            - is: javax.xml.xpath.XPathFactory
            - is: javax.xml.validation.SchemaFactory
            - is: javax.xml.transform.TransformerFactory
            - is: javax.xml.parsers.SAXParserFactory
            - is: javax.xml.parsers.DocumentBuilderFactory
          checkInheritance: true
availableFixes:
  - name: Set FEATURE_SECURE_PROCESSING true
    actions:
      - addMethodCall:
          name: setFeature
          arguments:
            - javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
            - "true"
          position: first-available-spot